Analysis
-
max time kernel
49s -
max time network
100s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
28-10-2024 08:46
General
-
Target
Orcus.exe
-
Size
3.0MB
-
MD5
37128f8c34f0e2112cb6c60d2fe8d4c6
-
SHA1
42d4240892b4fcb2b5332fb70210238aa4070f6a
-
SHA256
8667faa80b6d3e4126e5e9e60b6e2f755f5388c5554e7b6fd59bcd5a342326ad
-
SHA512
f0387c7f8d4d74fc378599918cee295abf14e0cc3983a4e1681a7d40ba4b5af519a0bfec7244d2e081588590e421711dc412b3e32cb17c0a6b9db9a0d0656b88
-
SSDEEP
49152:uBpEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmLNrZEu:uBptODUKTslWp2MpbfGGilIJPypSbxEt
Malware Config
Extracted
orcus
Roblox
89.23.100.155:1337
fa9ce586702b4090bcb834980fda0474
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\Windows\MpDefenderCore.exe
-
reconnect_delay
10000
-
registry_keyname
MpDefender
-
taskscheduler_taskname
MpDefender
-
watchdog_path
AppData\xdwdwatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
UAC bypass 3 TTPs 3 IoCs
-
Orcurs Rat Executable 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Using powershell.exe command.
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 53 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
System policy modification 1 TTPs 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Orcus.exe"C:\Users\Admin\AppData\Local\Temp\Orcus.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_udxjai8.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C57.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6C56.tmp"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ZXRNENRX-20241023-1428a.log1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ZXRNENRX-20241023-1428a.log1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
-
C:\Users\Admin\AppData\Local\Temp\Orcus.exe"C:\Users\Admin\AppData\Local\Temp\Orcus.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jeld1fki.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECAE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC9D.tmp"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD55e22dd1cda88782a1f52f76e748ef957
SHA13231826619a06fa541e2bfb21da445bd7013b5ac
SHA25673302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec
SHA51275039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498
-
Filesize
1KB
MD50f1bf4207c100442afb6f174495b7e10
SHA177ab64a201e4c57bbda4f0c3306bee76e9513b44
SHA256c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d
SHA51229bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94
-
Filesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
Filesize
1KB
MD531c8aa6a4016fec60d055aab3fb5aa87
SHA1e28011f40573a0947834cc2b6e8c910d61fcfe4e
SHA25667b9bbb7d6fda1c25beee33ba13e9b1411187fee6a5dd104587842133d00b556
SHA5129e649e47e1c585d5c77423253c646e14d6d846744c0e90756f92c7a844a8db80a0a701e2de34d10555f3e94928a1bdcdc4f825a847974898739a166255e171a3
-
Filesize
1KB
MD5cfd9d509a98219fc38bad273e9235511
SHA18a2d1e28eb60c54af4bd4a4b083be930f72d6230
SHA256d9fc4c4263d42bce42d25119c0edfb77828e5bb2b5708a04e1563bb968d9da29
SHA5122c2c9419311ec13b26b47d1523d51b7e29c00c85ef82fcfecdd7bd6d9dcbf07195f4bd705b0d74911436ba3cedaa928f5d4b9947f480934c11f0855e80b6024f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD548487176ab86a6bbf2f3388ec1aa7bc4
SHA138d4ea081f55db22f96f4361b41048936a10b8cb
SHA256a28cd75fed9f7add3eae4f203e4b3e9d4a0902e8f30de0e7e83e9534307be4e5
SHA512704020e5333fccb3054bd77c9383b5dbdc0fe7add07ae047f16ad904790e8728f37b4c88e22b8639450b92b57444628a15d504a19e0ec3d03da59d84cd81eb64
-
Filesize
76KB
MD53541450d5f9dcded636a90f3626c46c9
SHA117700aed3ce8df667f638847f5c7a70d4e0e0f2f
SHA2560990a12afe1cd3102404535ae050463eda040c49f81247901080072fd2935439
SHA512a6938280348ca90539a674c255ec0a1911df18aa163e4231c0db70d0b65669f55c16cf8feb1e72af91977ccfd5593d80e2ea102cbc34ea51fa8b20493ae5a728
-
Filesize
21KB
MD5f6285edd247fa58161be33f8cf662d31
SHA1e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470
SHA256bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec
SHA5126f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
676B
MD57d9e899fe032b33628cfba9f294e001a
SHA1d69372f9e9ca9651127e02c6bce1a5567cb7c9fb
SHA25622d02bb4090cf2db451ed1ae4c762ca8d62054b822304b80facabd43b22aa09f
SHA5127e3b143cb3c4d04617bb7607a0294cd6253450243fcc72a2ba69340bbea5851313cfdb938f7bbef71e2066b32c51bdbfd65e8e22822110d0ff0fd2ab22a66e10
-
Filesize
676B
MD5236a240bdb1b71df082aaa5e7ad17c1f
SHA1c3cfb5537125c3b3d296627ee362ef85b6e17519
SHA256ce6e2a90d295d8b27f507a38f0588aed47f7a99e5c40a55a48fc6dbff724f25d
SHA5126303932dab788bca7b663bfbe24d8cd879ad88389db6173e47647e97943e0bb14710319f109aa89688b92ba7744f8a775f94da88a99ac8bf2c176ebe67185960
-
Filesize
208KB
MD59f9a87651e0be26a41fd197288ece4b5
SHA1f7a9b0cf95d7a3527d04c263218949eb9257b0c1
SHA256b7687607450476e814643b5ee917d83135231e979bc80aef0957b9ebc464273b
SHA5123c83f7ff8060a831088c2a311188c3ffc0f82d6151d9db586d533f18b1658e5c3672a5eeb47829fc4c2c4c1adc740af81a2136780a1347a1bc11ac736c1bc610
-
Filesize
349B
MD57453d99a5c7a1b0ab561097aab185345
SHA11ce8ab58cb3d675c1293af6df6cb1e8eb6088d0f
SHA2562920667fa6626aa3680c0b1bceb501a29cdf3ea4dd39b57351fb86066a96c2c6
SHA5122a3446e7a98b946bf51da2aa774f57a8604942e18fefbb6f796f5b0c377670852d3dfb7f344cb61f542b000e48133fe7101c5178806e6457b7dbe10b552b309d
-
Filesize
208KB
MD5d7d7b8421bb6335c392670e1ad861e04
SHA1bc3e62c825a08d775797a38551603d575dd45dee
SHA2561ca0268837e6f174db7203bdaa8cecf01db4dcb3ab0978fbe01172568978aa36
SHA51264f4be3a893f3e9d6991cfac14b8b0273f568a830173fab3ce8a9f85e0f69aea2d07932e69e22265da8a1608cb1903e576b29dfd3053e8b3d08532ce16aa23b1
-
Filesize
349B
MD5e90a0de54918f2ac9f032e290139e704
SHA1b11ac4411fd132dd78db837f4d4f6ab81152e333
SHA256e52a3f707354f6079e9e79d2958b0b4fb887330fa9a85a8b7c22c7a17c0367a7
SHA512c10be310a61614c08a01428e9746fcff3866965ebbc9d97ad74506f182e01af1abde3efde63fc733a0f67342b79e04817f5abc2c2b12e46609a6295017a85900
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
1.0MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
464KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
528KB
-
Filesize
56KB
-
Filesize
3.0MB
-
Filesize
712KB
-
Filesize
580KB
-
Filesize
736KB
-
Filesize
568KB
-
Filesize
9.6MB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
128KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
9.6MB
-
Filesize
624KB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
168KB
-
Filesize
4.8MB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
152KB
-
Filesize
256KB
-
Filesize
248KB
-
Filesize
176KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
160KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
168KB
-
Filesize
160KB
-
Filesize
120KB
-
Filesize
152KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
368KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
136KB